In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin.
An attacker with the Journal Editor role uploads a crafted XML document through the User XML Plugin function. The document contains malicious external entities (XXE) that are processed by the application without proper validation. By exploiting this vulnerability, the attacker can create a new role with super administrator privileges in the journal context and inject a malicious plugin acting as a backdoor.
An attacker can obtain full administrative privileges in the system and install a backdoor plugin, enabling persistent, unauthorized access to the platform, data theft, and further system compromise.
Update PKP OJS, OMP, or OPS platforms to version 3.3.0.21 or later (for the 3.3.x branch) or to version 3.4.0.8 or later (for the 3.4.x branch). Until updating, it is recommended to restrict access to the User XML Plugin functionality and monitor the activity of users with the Journal Editor role.
Public Knowledge Project (PKP) OJS, OMP, and OPS in versions before 3.3.0.21 and in the 3.4.x branch before version 3.4.0.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H